author | Werner Koch <wk@gnupg.org> | 2007-03-20 11:00:55 +0100 |
committer | Werner Koch <wk@gnupg.org> | 2007-03-20 11:00:55 +0100 |
commit | fd628ffda1baf5a8b1a7264ae9900801a7174269 (patch) | |
tree | 7b1b5a858a167e851f3a3a22441dcce1f1323ac8 /agent | |
parent | * PKCS#12 import now tries several encodings in case the passphrase (diff) | |
Allow setting of the passphrase encoding of pkcs#12 files.
New option --p12-charset.
Diffstat (limited to 'agent')
-rw-r--r-- | agent/ChangeLog | 5 | ||||
-rw-r--r-- | agent/minip12.c | 71 | ||||
-rw-r--r-- | agent/minip12.h | 3 | ||||
-rw-r--r-- | agent/protect-tool.c | 12 |
4 files changed, 81 insertions, 10 deletions
diff --git a/agent/ChangeLog b/agent/ChangeLog
index 3afb61dc4..ea0fbe6e5 100644
--- a/agent/ChangeLog
+++ b/agent/ChangeLog
@@ -1,3 +1,8 @@
+2007-03-20 Werner Koch <wk@g10code.com>
+
+ * protect-tool.c: New option --p12-charset.
+ * minip12.c (p12_build): Implement it.
+
 2007-03-19 Werner Koch <wk@g10code.com>
 * minip12.c: Include iconv.h.
diff --git a/agent/minip12.c b/agent/minip12.c
index d6029f7b0..6958e5e1d 100644
--- a/agent/minip12.c
+++ b/agent/minip12.c
@@ -28,11 +28,11 @@
 #include <assert.h>
 #include <gcrypt.h>
 #include <iconv.h>
+#include <errno.h>
 #ifdef TEST
 #include <sys/stat.h>
 #include <unistd.h>
-#include <errno.h>
 #endif
 #include "../jnlib/logging.h"
@@ -518,6 +518,10 @@ decrypt_block (const void *ciphertext, unsigned char *plaintext, size_t length,
 "ISO-8859-8",
 "ISO-8859-9",
 "KOI8-R",
+ "IBM437",
+ "IBM850",
+ "EUC-JP",
+ "BIG5",
 NULL
 };
 int charsetidx = 0;
@@ -2139,25 +2143,75 @@ build_cert_sequence (unsigned char *buffer, size_t buflen,
 }
-/* Expect the RSA key parameters in KPARMS and a password in
- PW. Create a PKCS structure from it and return it as well as the
- length in R_LENGTH; return NULL in case of an error. */
+/* Expect the RSA key parameters in KPARMS and a password in PW.
+ Create a PKCS structure from it and return it as well as the length
+ in R_LENGTH; return NULL in case of an error. If CHARSET is not
+ NULL, re-encode PW to that character set. */
 unsigned char * p12_build (gcry_mpi_t *kparms, unsigned char *cert, size_t certlen,
- const char *pw, size_t *r_length)
+ const char *pw, const char *charset, size_t *r_length)
 {
- unsigned char *buffer;
+ unsigned char *buffer = NULL;
 size_t n, buflen;
 char salt[8];
 struct buffer_s seqlist[3];
 int seqlistidx = 0;
 unsigned char sha1hash[20];
 char keyidstr[8+1];
+ char *pwbuf = NULL;
+ size_t pwbufsize = 0;
 n = buflen = 0; /* (avoid compiler warning). */
 memset (sha1hash, 0, 20);
 *keyidstr = 0;
+ if (charset && pw && *pw)
+ {
+ iconv_t cd;
+ const char *inptr;
+ char *outptr;
+ size_t inbytes, outbytes;
+
+ /* We assume that the converted passphrase is at max 2 times
+ longer than its utf-8 encoding. */
+ pwbufsize = strlen (pw)*2 + 1;
+ pwbuf = gcry_malloc_secure (pwbufsize);
+ if (!pwbuf)
+ {
+ log_error ("out of secure memory while converting passphrase\n");
+ goto failure;
+ }
+
+ cd = iconv_open (charset, "utf-8");
+ if (cd == (iconv_t)(-1))
+ {
+ log_error ("can't convert passphrase to"
+ " requested charset `%s': %s\n",
+ charset, strerror (errno));
+ gcry_free (pwbuf);
+ goto failure;
+ }
+
+ inptr = pw;
+ inbytes = strlen (pw);
+ outptr = pwbuf;
+ outbytes = pwbufsize - 1;
+ if ( iconv (cd, (ICONV_CONST char **)&inptr, &inbytes,
+ &outptr, &outbytes) == (size_t)-1)
+ {
+ log_error ("error converting passphrase to"
+ " requested charset `%s': %s\n",
+ charset, strerror (errno));
+ gcry_free (pwbuf);
+ iconv_close (cd);
+ goto failure;
+ }
+ *outptr = 0;
+ iconv_close (cd);
+ pw = pwbuf;
+ }
+
+
 if (cert && certlen)
 {
 /* Calculate the hash value we need for the bag attributes. */
@@ -2219,6 +2273,11 @@ p12_build (gcry_mpi_t *kparms, unsigned char *cert, size_t certlen,
 buffer = create_final (seqlist, pw, &buflen);
 failure:
+ if (pwbuf)
+ {
+ wipememory (pwbuf, pwbufsize);
+ gcry_free (pwbuf);
+ }
 for ( ; seqlistidx; seqlistidx--)
 gcry_free (seqlist[seqlistidx].buffer);
diff --git a/agent/minip12.h b/agent/minip12.h
index 6275f9ccb..7977fcb02 100644
--- a/agent/minip12.h
+++ b/agent/minip12.h
@@ -31,7 +31,8 @@ gcry_mpi_t *p12_parse (const unsigned char *buffer, size_t length,
 unsigned char *p12_build (gcry_mpi_t *kparms, unsigned char *cert, size_t certlen,
- const char *pw, size_t *r_length);
+ const char *pw, const char *charset,
+ size_t *r_length);
 #endif /*MINIP12_H*/
diff --git a/agent/protect-tool.c b/agent/protect-tool.c
index 8f974e2da..937b0ef0c 100644
--- a/agent/protect-tool.c
+++ b/agent/protect-tool.c
@@ -65,6 +65,7 @@ enum cmd_and_opt_values
 oP12Import,
 oP12Export,
+ oP12Charset,
 oStore,
 oForce,
 oHaveCert,
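Review bot: Both error branches inside the new `if (charset && pw && *pw)` block call `gcry_free (pwbuf);` and then `goto failure;`, but `pwbuf` is never reset to NULL, so the new cleanup at `failure:` (`if (pwbuf) { wipememory (pwbuf, pwbufsize); gcry_free (pwbuf); }`) writes to and frees the same secure block a second time — a write-after-free and double free on the iconv_open and iconv failure paths. Dropping the two `gcry_free (pwbuf);` lines in those branches and letting the label's cleanup own the buffer fixes this and also routes those paths through the same `wipememory` as the success path. The 2x estimate in `pwbufsize = strlen (pw)*2 + 1;` is bounded by `outbytes`, so a wider target such as UTF-16 or UTF-32 fails with E2BIG rather than overflowing, but the user then only sees "error converting passphrase" with no hint that the buffer was the cause; `pwbufsize = strlen (pw)*4 + 1;` would cover fixed-width targets, though stateful encodings may still need a retry on E2BIG. The header comment could also state that PW is expected in UTF-8, since `iconv_open (charset, "utf-8")` hard-codes that assumption; the rest of `p12_build` between the two hunks is outside this diff.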
@@ -96,6 +97,7 @@ static int opt_have_cert;
 static const char *opt_passphrase;
 static char *opt_prompt;
 static int opt_status_msg;
+static const char *opt_p12_charset;
 static char *get_passphrase (int promptno, int opt_check);
 static char *get_new_passphrase (int promptno);
@@ -118,8 +120,10 @@ static ARGPARSE_OPTS opts[] = {
 { oShowShadowInfo, "show-shadow-info", 256, "return the shadow info"},
 { oShowKeygrip, "show-keygrip", 256, "show the \"keygrip\""},
- { oP12Import, "p12-import", 256, "import a PKCS-12 encoded private key"},
- { oP12Export, "p12-export", 256, "export a private key PKCS-12 encoded"},
+ { oP12Import, "p12-import", 256, "import a pkcs#12 encoded private key"},
+ { oP12Export, "p12-export", 256, "export a private key pkcs#12 encoded"},
+ { oP12Charset,"p12-charset", 2,
+ "|NAME|set charset for a new PKCS#12 passphrase to NAME" },
 { oHaveCert, "have-cert", 0, "certificate to export provided on STDIN"},
 { oStore, "store", 0, "store the created key in the appropriate place"},
 { oForce, "force", 0, "force overwriting"},
@@ -127,6 +131,7 @@ static ARGPARSE_OPTS opts[] = {
 { oHomedir, "homedir", 2, "@" },
 { oPrompt, "prompt", 2, "|ESCSTRING|use ESCSTRING as prompt in pinentry"},
 { oStatusMsg, "enable-status-msg", 0, "@"},
+ {0}
 };
@@ -987,7 +992,7 @@ export_p12_file (const char *fname)
 kparms[8] = NULL;
 key = p12_build (kparms, cert, certlen,
- (pw=get_new_passphrase (3)), &keylen);
+ (pw=get_new_passphrase (3)), opt_p12_charset, &keylen);
 release_passphrase (pw);
 xfree (cert);
 for (i=0; i < 8; i++)
@@ -1101,6 +1106,7 @@ main (int argc, char **argv )
 case oShowKeygrip: cmd = oShowKeygrip; break;
 case oP12Import: cmd = oP12Import; break;
 case oP12Export: cmd = oP12Export; break;
+ case oP12Charset: opt_p12_charset = pargs.r.ret_str; break;
 case oPassphrase: opt_passphrase = pargs.r.ret_str; break;
 case oStore: opt_store = 1; break; |
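Review bot: In the `export_p12_file` hunk, `opt_p12_charset` reaches `p12_build` unvalidated and only after `get_new_passphrase (3)` has already prompted for the new passphrase, so a mistyped `--p12-charset NAME` is first detected by `iconv_open` inside `p12_build` and the user pays for the passphrase dialog before the export fails. A probe at option-parse time, e.g. an `iconv_open (name, "utf-8")` that is immediately closed, would reject bad names up front; where to put it depends on code outside these hunks. The help text `"|NAME|set charset for a new PKCS#12 passphrase to NAME"` could also say the option applies to `--p12-export` only, since, as far as this diff shows, `opt_p12_charset` is read nowhere else. The `main` option-switch hunk is cut off at the end of the page and the bodies of `export_p12_file` and `main` continue outside the hunks.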